Cross-Device Tracking Requires Strong Privacy and Security Standards

As many people are now aware, your online activity is being tracked. As you move between different connected devices, from your cell phone to your laptop to your smart TV, companies are watching, recording, and analyzing your viewing, shopping, and behavioral data. Previously, your activity on each of these devices was isolated within the device. However, as we increasingly change between devices in the course of our day, advertising companies are tracking your online activity between devices in order to create a detailed profile of you through the use of cross-device tracking. The amount and granularity of data that your online activities create is only growing as more devices are connected to the Internet and as our devices become more mobile. Due to the amount of geolocation data that your phone, laptop, and smart TV produce, companies not only know what you are doing online, but where you are. The Federal Trade Commission (FTC), understanding the privacy implications of cross-device tracking, will be holding a workshop on November 16, 2015 on cross-device tracking; CDT submitted comments to the FTC last Friday in anticipation of this workshop.

The privacy issues here are not merely abstract. For example, through cross-device tracking a company could see that an individual searched for sexually transmitted disease (STD) symptoms on her personal computer, looked up directions to a Planned Parenthood on her phone, looked at pictures of cats on her phone for thirty minutes while sitting stationary in a pharmacy, then returned to her apartment. While previously the various components of this journey would be scattered among several services, cross-device tracking allows companies to infer that the user received treatment for an STD, a very sensitive and private set of facts.

Cross-device tracking is currently performed through either deterministic or probabilistic means. Deterministic cross-device tracking is mainly available to companies that provide a service that requires a log-in. Once an individual logs-in, the company can track the user’s activities across devices. Probabilistic cross-device tracking is performed through the aggregation of information from different devices, such as IP address, device type, web browser, and other settings like fonts to create a “digital fingerprint” that links one individual across devices. This aggregated information is then put into a statistical model to identify which user is using which device.

Users are also being tracked across devices through the use of ultrasonic inaudible audio beacons, which link devices that are close in proximity to one another. Audio beacons are deployed when a user encounters an ad online and the advertiser drops a cookie on the computer while also playing an ultrasonic audio sound through the use of the speakers on the computer or device. The inaudible code is recognized and received on the other smart device by the software installed on it, which can set the same cookie value and link the two devices. Audio beacons are more accurate than probabilistic tracking, are concealed from individuals, and are impossible for users to control.

Although not all advertising companies use cross-device tracking, the ability to better understand users and their buying habits is attractive because companies can demonstrate that their ad resulted in a sale instead of just a view by the user. Currently, users are largely unaware of this information. Probabilistic tracking is particularly invisible to users and has been the subject of criticism from an Internet standards body because of its potential to undermine trust in the entire Internet.

In discussing cross-device tracking, CDT agrees that probabilistic and deterministic cross-device tracking terms are important categories for understanding the issue. However, CDT does not believe that these categories should result in different policy outcomes. In both cases users are often unaware of the wealth and detail of information that is being collected about their online and offline activities and the significant privacy invasions that result. The kind and extent of data that is recorded about users contains sensitive personally identifiable information and is often difficult or impossible for users to discover or control.

In the case of both types of tracking the best solution is increased transparency and a robust, meaningful opt-out system. If cross-device tracking companies cannot give users these types of notice and control, they should not engage in cross-device tracking. If they continue to do so then the FTC should consider enforcement actions against those companies on the basis that this very invasive tracking is unfair to consumers and should be considered illegal.